Cipher-key distribution system.



The system for distributing a cipher key for use in cipher communication by one party with another comprises a common file for storing public information in a position indicated by receiving party identifying information, and first and second subsystems. The first subsystem comprises means for reading said public information out of said common file; random number generating means; first cipher-key generating means; said receiving secret information holding means; key distributing code generating means and transmitting means for transmitting the key distributing code generated by the key distributing code generating means and the information for identifying the communicating party. The second subsystem comprises means for receiving the key distributing code and the identifying information from said transmitting means of the first subsystem; constant holding means; secret information holding means; and second cipher-key generating means for regenerating a cipher key, which is identical with the cipher-key generated by said first cipher-key generating means, on the basis of the key distributing code and identifying information from said receiving means, the constant from said constant holding means and the secret information from said secret information holding means. This system avoids excessive overheads on both the sending and the receiving parties if a cryptogram is to be sent by an existing mail system, and improves the security for the authorized use.
CIPHER-KEY DISTRIBUTION SYSTEM



DETAILED DESCRIPTION OF THE INVENTION 



The present invention relates to a key distribu- 
tion system for the one-way communication, from a 
sending party to a receiving party, of a cipher-key 
for use in conventional cryptosystems. 

BACKGROUND OF THE INVENTION 

Well-known prior art key distribution systems include the Diffie-Hellman (DH) system and the ID-based system. The former is disclosed in Diffie and Hellman, "New Direction in Cryptography" in the IEEE Transaction on Information Theory, Vol. 22, No. 6, p. 644. According to the DH system, which has in store public information for each communicating party, if for instance party A is to communicate with party B in cipher, A prepares a cipher-key from B's public information $Y_B$ and its own secret information $X_A$. This method, however, allows another party to pretend to be an authorized party by illegitimately altering public information.

For information on the latter, the ID-based key 
distribution system, reference may be made to the 
U.S. patent No. 4,876,716. This system, which uses
public identification information such as the name 
of each communicating party to prepare a cipher- 
key, is immune from illegitimate alteration of public 
information. As it requires two-way communication, 
however, there is the problem of imposing too 
great overheads on both the sending and the re- 
ceiving parties if a cryptogram is to be sent by an 
existing mail system. 

The DH key distribution system also involves the problem of letting an unauthorized receiver pretend to be an authorized user by altering public information.



SUMMARY OF THE INVENTION 

An object of the present invention is to provide 
a system cleared of the above mentioned dis- 
advantages. 

A first system according to one aspect of the 
invention is a cipher-key distribution system for 
distributing a cipher key for use in cipher commu- 
nication by one party with another, provided with: 
a common file for storing public information in a 
position indicated by receiving party identifying in- 
formation, and first and second subsystems, 
wherein: 

said first subsystem comprises:

reading means for reading said public information out of said common file;

random number generating means for generating random numbers;

first cipher-key generating means for generating a cipher key on the basis of a constant, said receiving party identifying information given from outside, a random number generated by said random number generating means and the public information read out by said reading means;

secret information holding means for holding the secret information of the communicating party using this subsystem;

key distributing code generating means for generating a key distributing code on the basis of said constant, said random number and the secret information given from said secret information holding means; and

transmitting means for transmitting the key distributing code generated by the key distributing code generating means and the information for identifying the communicating party, and

said second subsystem comprises:

receiving means for receiving the key distributing code and the identifying information from said transmitting means of the first subsystem;

constant holding means for holding the constant;

secret information holding means for holding the secret information of the communicating party using this subsystem; and

second cipher-key generating means for generating a cipher key, which is identical with the cipher-key generated by said first cipher-key generating means, on the basis of the key distributing code and identifying information from said receiving means, the constant from said constant holding means and the secret information from said secret information holding means.

A second system according to another aspect of the invention is a cipher-key distribution system for distributing a cipher key for use in cipher communication by one party with another, provided with:

a common file for storing public information in a position indicated by receiving party identifying information, and first and second subsystems, wherein:

said first subsystem comprises:

first reading means for reading said public information out of said common file;

secret information holding means for holding the secret information of the communicating party using this subsystem;

first cipher-key generating means for generating a cipher key on the basis of a constant, receiving party identifying information given from outside, the public information read out by said first reading means and the secret information from said secret information holding means; and

transmitting means for transmitting the information for identifying the communicating party using this subsystem, and

said second subsystem comprises:

receiving means for receiving the identifying information given from said transmitting means;

constant holding means for holding the constant;

secret information holding means for holding the secret information of the communicating party using this subsystem;

second reading means for reading said public information out of said common file, and

second cipher-key generating means for generating a cipher key, which is identical with the cipher-key generated by said first cipher-key generating means, on the basis of the identifying information from said receiving means, the constant from said constant holding means, the secret information from said secret information holding means, and the public information given from said second reading means.

EP 0 385 511 A2

A third system according to still another aspect 
of the invention has, within the first subsystem of 
the first system, a personal file for storing part of 
the information stored in the common file. 

A fourth system according to yet another aspect of the invention has, within the first subsystem or subsystems of at least one of the first, second and third systems, verifying means for verifying the information read out of the common file.

BRIEF DESCRIPTION OF THE DRAWINGS 

Other features and advantages of the present 
invention will become more apparent from the fol- 
lowing detailed description when taken in conjunc- 
tion with the accompanying drawings in which: 

FIG. 1 shows preparatory steps for first, third 
and fifth preferred embodiments of the invention; 

FIG. 2 illustrates the first preferred embodi- 
ment of the invention; 

FIG. 3 shows preparatory steps for second, 
fourth and sixth preferred embodiments of the in- 
vention; 

FIG. 4 illustrates the second preferred em- 
bodiment of the invention; 

FIG. 5 illustrates the third preferred embodi- 
ment of the invention; 

FIG. 6 illustrates the fourth preferred em- 
bodiment of the invention; 

FIG. 7 illustrates the preparation for the fifth preferred embodiment of the invention, taking place after the preparatory steps shown in FIG. 1;



FIG. 8 illustrates the fifth preferred embodi- 
ment of the invention; 

FIG. 9 illustrates the preparation for the sixth preferred embodiment of the invention, taking place after the preparatory steps shown in FIG. 3;

FIG. 10 illustrates the sixth preferred em- 
bodiment of the invention; and 

FIG. 11 illustrates the configurations of the first subsystem 101 and the second subsystem 102 shown in FIGS. 2 and 4 through 10.

In the figures, the same reference numerals 
denote respectively the same constituent elements. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring to FIGS. 2, 4, 8 and 10, each of the preferred embodiments of the present invention illustrated therein includes a first subsystem 101, a second subsystem 102, an insecure cryptogram communication channel 103 for transmitting a cryptogram from the subsystem 101 to the subsystem 102, an insecure intermediate key communication channel 104 for transmitting a code $Y_A$ for distributing a coded key from the subsystem 101 to the subsystem 102, a common file 105 for storing public information $X_i$ containing identifying information $ID_i$, and a line 106 for connecting the common file 105 and the subsystem 101. The subsystems 101 and 102 are used by communicating parties A and B, respectively.

First will be described in detail the procedure of registration into the common file 105, which is one of the characteristic features of the present invention, with reference to FIGS. 1 through 3.

This action takes place before a cryptogram is 
transmitted. 

FIG. 1 shows how preparations are made for the generation of cipher-keys $K_A$ and $K_B$ in a preferred embodiment of the invention.

First, large prime numbers p and q are selected (step 11). Then the product n of these two large prime numbers p and q is calculated (step 12). Further, t is selected as a number mutually prime to $(p-1) \cdot (q-1)$, and $\alpha$ is selected as a positive integer smaller than n, which becomes a primitive element in GF(p) and GF(q) (step 13). After that either the subsystem 101 or 102 on the part of a new subscriber gives a subscription request 23 as required. At a key distribution center 100, an inquiry is made as to the presence or absence of a subscription request, and the inquiry is continued until a subscription request is given (step 14). When the inquiry at step 14 finds an affirmative reply, identifying information $ID_i$ for the pertinent subscriber i is set in response to an ID application 24 by the subsystem 101 or 102 (step 15). Next, by using this identifying information $ID_i$, secret information $S_i$ is figured out by the following equation (step 16):

$S_i = (ID_i)^{-1/t} \bmod n$

where a (mod b) means the remainder of the division of a by b. To the new subscriber i are distributed n, $\alpha$, t, $ID_i$ and $S_i$, generated at these steps 12, 13 and 16 (step 17).

The system on the part of the new subscriber i receives n, $\alpha$, t, $ID_i$ and the secret information $S_i$ distributed at step 17 (step 18). Next, another piece of secret information (a random number) $r_i$ is generated (step 19). Then, on the basis of the received secret information $S_i$, the newly generated information $r_i$ and $\alpha$, which became a primitive element at step 13, public information $X_i$ is generated by the following equation (step 20):

$X_i = S_i \cdot \alpha^{r_i} \bmod n$

Referring to FIGS. 1 and 3, the generated public information $X_i$ is stored into a designated address $ID_i$ in the common file 105. Then the secret information pieces $S_i$ and $r_i$ are stored into secret information holding means 1012, n, $\alpha$ and t are stored into constant holding means 1013 and, at the same time, $ID_i$ is stored into identifying information holding means 1015 (step 22). Steps 11 to 17 are assigned to the key distribution center 100. The identifying information $ID_i$, which is assigned by the center to be different from one communicating party to another, turns generally known pieces of information such as the personal name and address into identifying codes according to, for instance, the ASCII formula.

Now will be described in detail, with reference
to FIG. 2, a first preferred embodiment of the 
present invention in which the public information 
stored in the common file 105 is accessed by each 
communicating party. 

It is supposed that, in this first preferred embodiment, a sending party A accesses the common file 105, and that, at the key distribution center 100, a conversion formula and a common parameter are set and personal secret information is distributed as shown in FIG. 1. The subsystem 101 generates a random number from random number generating means 1011 and, at the same time, reads out secret information $S_A$ from the secret information holding means 1012 for A and constants $\alpha$ and n from the constant holding means 1013. Then key distribution code $Y_A$ generating means 1014 generates a code $Y_A$ as an intermediate cipher-key in accordance with:

$Y_A = S_A \cdot \alpha^{r} \pmod{n}$

The code $Y_A$ generated by the generating means 1014 and identifying information $ID_A$ for A are sent out to the line 104 by transmitting means 1016. Code $Y_A$ receiving means 1022 of the subsystem 102 receives the code $Y_A$ provided via the line 104 and the identifying information $ID_A$. Using the identifying information $ID_A$ and the code $Y_A$ from the receiving means 1022, constants t and n from constant holding means 1021, and secret information $r_B$ from secret information holding means 1028 for B, cipher-key $K_B$ generating means 1023 generates a cipher-key $K_B$ in accordance with:

$K_B = (Y_A^{t} \cdot ID_A)^{r_B} \pmod{n}$

Here $K_B = \alpha^{r_B \cdot t \cdot r} \pmod{n}$ because $Y_A^{t} = S_A^{t} \cdot \alpha^{r \cdot t} = (ID_A)^{-1} \cdot \alpha^{r \cdot t} \pmod{n}$.

There is no need to send second key distributing information from the second subsystem 102 to the subsystem 101 of the sending party A, because public information on the receiving party B is stored in the common file 105 and therefore the subsystem 101 for itself can read out this public information.

Thus the subsystem 101 obtains identifying information $ID_B$ for the receiving party B from outside with input means 1017 and, at the same time, common file reading means 1018 uses this information $ID_B$ to read out public information $X_B$ on B from the common file 105.

Cipher-key generating means 1019, using these pieces of information $ID_B$ and $X_B$, generates a cipher-key $K_A$ in accordance with:

$K_A = (X_B^{t} \cdot ID_B)^{r} \bmod n$

Here $K_A = \alpha^{r_B \cdot t \cdot r} \bmod n$ because $X_B^{t} = S_B^{t} \cdot \alpha^{r_B \cdot t} = (ID_B)^{-1} \cdot \alpha^{r_B \cdot t} \pmod{n}$.

Therefore, the cipher-key $K_A$ generated by the cipher-key $K_A$ generating means 1019 of the subsystem 101 and the cipher-key $K_B$ generated by the cipher-key $K_B$ generating means 1023 of the subsystem 102 become identical, so that key distribution can be achieved.

Thus the sending party A can cipher his message with the subsystem 101 by accessing the common file 105 with the identifying information $ID_B$ for the receiving party B. The key can be generated irrespective of the presence or absence of the receiving party B, and the key distributing code $Y_A$ and the identifying information $ID_A$ can be transmitted together with the ciphered message.

An impostor intending to pretend to be a legitimate communicating party i by altering public information $X_i$ can do so if he finds X and r to satisfy the following equation:

$X^{t} \cdot ID_i = \alpha^{t \cdot r} \bmod n$

The difficulty to meet this requirement, however, even in collusion with another legitimate party is evident from, for instance, Advances in Cryptology - Crypto '87, pp. 196 - 202. This literature further explains that, even if said $X_i$ is made public, neither $S_i$ nor $r_i$, both secret information, can be disclosed.
Next will be described in detail, with reference to FIG. 4, a second preferred embodiment of the invention, which is characterized by a procedure to verify public information after it is read out.

First, preparatory steps for the execution of this second embodiment will be explained in detail with reference to FIG. 3.

Referring to FIG. 3, first of all, large prime numbers p and q are selected (step 11). Next, the product n of these two large prime numbers p and q is calculated (step 12). Then, t is selected as a number mutually prime to $(p-1) \cdot (q-1)$; $\alpha$ is selected as a positive integer smaller than n, which becomes a primitive element in GF(p) and GF(q), and further is selected a two-variable one-way function f (step 13). After that, either the subsystem 101 or 102 on the part of a new subscriber gives a subscription request 23 as required.

At a key distribution center 100, an inquiry is made as to the presence or absence of a subscription request, and the inquiry is continued until a subscription request is given (step 14). When the inquiry at step 14 finds an affirmative reply, identifying information $ID_i$ for the pertinent subscriber i is set in response to an ID application 24 by the subsystem 101 or 102 (step 15).

Next, by using this identifying information $ID_i$, secret information $S_i$ is figured out by the following equation (step 16):

$S_i = (ID_i)^{1/t} \bmod n$

To the new subscriber i are distributed f, n, $\alpha$, t, $ID_i$ and $S_i$, generated at these steps 12, 13 and 16 (step 17).

The system on the part of the new subscriber i receives f, n, $\alpha$, t, $ID_i$ and the secret information $S_i$ distributed at step 17 (step 18). Next, a random number $r_i$ is generated (step 19). Then, on the basis of the received secret information $S_i$, the newly generated secret information (random number) $r_i$ and $\alpha$, which became a primitive element at step 13, pieces of public information $U_i$ and $V_i$ are generated by the following equations (step 20):

$U_i = \alpha^{t \cdot r_i} \bmod n$

$V_i = S_i \cdot \alpha^{r_i \cdot f(U_i, ID_i)} \bmod n$

Referring to FIGS. 1 and 3, the generated public information pieces $U_i$ and $V_i$ are stored into the common file 105. Then the received secret information piece $S_i$ is stored into secret information holding means 1012, n, $\alpha$ and t are stored into constant holding means 1013 and, at the same time, $ID_i$ is stored into identifying information holding means 1015 (step 22).

Steps 11 to 15 and 23 to 24 are assigned to the key distribution center 100.

Now will be described in detail, with reference 
to FIG. 4, a second preferred embodiment of the 
present invention in which the public information 
stored in the common file 105 is accessed by each
communicating party. 

It is supposed that, in this second preferred embodiment, a sending party A accesses the common file 105, and that, at the key distribution center 100, a conversion formula and a common parameter are set and personal secret information is distributed as shown in FIG. 3. The subsystem 101 generates a random number from random number generating means 1011 and, at the same time, reads out secret information $S_A$ from the secret information holding means 1012 for A and constants n, t and $\alpha$ from the constant holding means 1013. Then key distribution code $Z_A$ and $W_A$ generating means 1014 generates codes $Z_A$ and $W_A$ as intermediate cipher-keys in accordance with:

$Z_A = \alpha^{t \cdot r} \pmod{n}$

$W_A = S_A \cdot \alpha^{r \cdot f(Z_A, ID_A)} \pmod{n}$

The codes $Z_A$ and $W_A$ generated by the generating means 1014 and identifying information $ID_A$ for A are sent out to the line 104 by transmitting means 1007. Receiving means 1030 of the subsystem 102 receives the codes $Z_A$ and $W_A$ provided via the line 104 and the identifying information $ID_A$. Using the identifying information $ID_A$ and the codes $Z_A$ and $W_A$ from the receiving means 1030, a function f from constant holding means 1021 and the constants t and n, verifying means 1024 checks whether or not $W_A^{t} / Z_A^{f(Z_A, ID_A)}$ is equal to $ID_A \pmod{n}$.

If the verifying means 1024 verifies the equality, it sends an OK signal to generating means 1023.

In response to this OK signal, the cipher-key generating means 1023, using secret information $r_B$ from holding means 1028, generates a cipher-key $K_B$ in accordance with:

$K_B = Z_A^{r_B} \pmod{n}$

Here, $K_B = \alpha^{t \cdot r \cdot r_B} \pmod{n}$.

There is no need to send second key distributing information from the second subsystem 102 to the subsystem 101 of the sending party A, because public information on the receiving party B is stored in the common file 105 and therefore the subsystem 101 for itself can read out this public information.

Thus the subsystem 101 obtains identifying information $ID_B$ for the receiving party B from outside with input means 1017 and, at the same time, reading means 1018 reads out public information $X_B$ on B from the common file 105 in accordance with this information $ID_B$.

Then, verifying means 1010 checks whether or not $W_B^{t} / U_B^{f(U_B, ID_B)}$ is equal to $ID_B \pmod{n}$.

If the verifying means 1010 verifies the equality, it sends an OK signal to generating means 1019.

The cipher-key generating means 1019, using the public information $U_B$ provided from reading means 1018, generates a cipher-key $K_A$ in accordance with:

$K_A = U_B^{r} \pmod{n}$

Here, $K_A = \alpha^{t \cdot r \cdot r_B} \pmod{n}$ because $U_B = \alpha^{t \cdot r_B} \bmod n$.
Thus is achieved key distribution as the cipher-key $K_A$ generated by the cipher-key $K_A$ generating means 1019 of the subsystem 101 and the cipher-key $K_B$ generated by the cipher-key $K_B$ generating means 1023 of the subsystem 102 become identical.

An impostor intending to pretend to be a legitimate communicating party i by altering public information $U_i$, $V_i$ or key generating information $Z_i$, $W_i$ can do so if he finds X and Y to satisfy the following equation:

$X^{f(X, ID_i)} \cdot ID_i = Y^{t} \bmod n$

The difficulty to meet this requirement, however, even in collusion with another legitimate party is described in, for instance, IEEE Journal on Selected Areas in Communication, Vol. 7, No. 2, pp. 290-294. This literature further explains that, even if said $U_i$, $V_i$ is made public or said $Z_i$, $W_i$ is tapped, neither $S_i$, $r_i$ nor r can be disclosed.
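The registration steps and the one-way exchanges of the first and second embodiments, including the verification step, can be followed in this added Python sketch, which is not code from the patent. The toy primes, t = 65537, SHA-256 standing in for the one-way function f, the dictionary layout and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters; real p and q are large primes kept secret by center 100.
P, Q, T = 2**31 - 1, 2**61 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
assert gcd(T, PHI) == 1   # step 13: t is mutually prime to (p-1)(q-1)
D = pow(T, -1, PHI)       # center-only secret that plays the role of 1/t

def prime_factors(m):
    """Distinct prime factors by trial division (enough for P-1 and Q-1)."""
    found, d = set(), 2
    while m > 1:
        if m % d == 0:
            found.add(d)
            m //= d
        else:
            d += 1
    return found

def is_primitive(a, p):
    """True when a is a primitive element of GF(p)."""
    return all(pow(a, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

# Step 13: smallest alpha that is primitive in both GF(p) and GF(q).
ALPHA = next(a for a in range(2, P) if is_primitive(a, P) and is_primitive(a, Q))

def f(u, ident):
    """Stand-in for the two-variable one-way function f; SHA-256 is an assumption."""
    data = (u % N).to_bytes(16, "big") + (ident % N).to_bytes(16, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rand():
    return secrets.randbelow(N - 2) + 1

def to_id(name):
    """ASCII-encode a name into ID_i, which must be invertible modulo n."""
    ident = int.from_bytes(name.encode("ascii"), "big")
    if not 1 < ident < N or gcd(ident, N) != 1:
        raise ValueError("name does not map to a usable ID")
    return ident

def enroll_fig1(name):
    """FIG. 1: S_i = ID_i^(-1/t), X_i = S_i * alpha^r_i (mod n)."""
    ident, r = to_id(name), rand()
    s = pow(ident, -D, N)
    return {"id": ident, "s": s, "r": r, "x": s * pow(ALPHA, r, N) % N}

def send_fig2(a, id_b, x_b):
    """Subsystem 101: K_A = (X_B^t * ID_B)^r plus the message (Y_A, ID_A)."""
    r = rand()
    k_a = pow(pow(x_b, T, N) * id_b % N, r, N)
    return k_a, (a["s"] * pow(ALPHA, r, N) % N, a["id"])

def receive_fig2(b, y_a, id_a):
    """Subsystem 102: K_B = (Y_A^t * ID_A)^r_B (mod n)."""
    return pow(pow(y_a, T, N) * id_a % N, b["r"], N)

def enroll_fig3(name):
    """FIG. 3: S_i = ID_i^(1/t), U_i = alpha^(t*r_i), V_i = S_i * alpha^(r_i*f(U_i, ID_i))."""
    ident, r = to_id(name), rand()
    s, u = pow(ident, D, N), pow(ALPHA, T * r, N)
    v = s * pow(ALPHA, r * f(u, ident), N) % N
    return {"id": ident, "s": s, "r": r, "u": u, "v": v}

def verify(u, v, ident):
    """Verifying means: accept only if v^t / u^f(u, ID) == ID (mod n)."""
    if gcd(u, N) != 1:
        return False
    return pow(v, T, N) * pow(u, -f(u, ident), N) % N == ident % N

def send_fig4(a, id_b, u_b, v_b):
    """Subsystem 101: verify B's entry, then K_A = U_B^r and (Z_A, W_A, ID_A)."""
    if not verify(u_b, v_b, id_b):
        raise ValueError("common-file entry failed verification")
    r = rand()
    z_a = pow(ALPHA, T * r, N)
    w_a = a["s"] * pow(ALPHA, r * f(z_a, a["id"]), N) % N
    return pow(u_b, r, N), (z_a, w_a, a["id"])

def receive_fig4(b, z_a, w_a, id_a):
    """Subsystem 102: verify A's codes, then K_B = Z_A^r_B (mod n)."""
    if not verify(z_a, w_a, id_a):
        raise ValueError("key distributing code failed verification")
    return pow(z_a, b["r"], N)

def demo():
    """Both embodiments, plus a common-file entry written without S_B."""
    a1, b1 = enroll_fig1("alice"), enroll_fig1("bob")
    k2, msg2 = send_fig2(a1, b1["id"], b1["x"])
    a3, b3 = enroll_fig3("alice"), enroll_fig3("bob")
    k4, msg4 = send_fig4(a3, b3["id"], b3["u"], b3["v"])
    r_m = rand()   # constructed bad entry: U', V' built with no knowledge of S_B
    u_m = pow(ALPHA, T * r_m, N)
    v_m = pow(ALPHA, r_m * f(u_m, b3["id"]), N)
    return (receive_fig2(b1, *msg2) == k2, receive_fig4(b3, *msg4) == k4,
            verify(u_m, v_m, b3["id"]))
```

`demo()` returns, in order, whether the two parties' keys match in the first embodiment, whether they match in the second, and whether the entry built without $S_B$ passes verification.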

Next will be described in detail, with reference 
to FIG. 5, a third preferred embodiment of the 
invention, in which both the first subsystem 101 
and the second subsystem access the common file 
105. 

It is supposed that, in this third preferred embodiment, a sending party A and a receiving party B access the common file 105, and that, at the key distribution center 100, a conversion formula and a common parameter are set as shown in FIG. 1. Referring to FIG. 5, identifying information for the receiving party B is entered from input means 1017. In response to this input, common file reading means 1018 reads out public information $X_B$ on B from a position indicated by $ID_B$ in the common file 105. Cipher-key generating means 1019, using secret information $r_A$ from secret information holding means 1012 for A and constants n and t from constant holding means 1009, generates a cipher key $K_A$ in accordance with:

$K_A = (X_B^{t} \cdot ID_B)^{r_A} \bmod n$

Here, $K_A = \alpha^{r_B \cdot t \cdot r_A} \bmod n$ because $X_B^{t} = S_B^{t} \cdot \alpha^{r_B \cdot t} = (ID_B)^{-1} \cdot \alpha^{r_B \cdot t} \pmod{n}$.

Identifying information $ID_A$ from identifying information $ID_A$ holding means 1015 for A is supplied to receiving means 1031 of the subsystem 102 via transmitting means 1008 and a line 104. The information $ID_A$ supplied from the means 1031 is further provided to the common file 105 via reading means 1024 and a line 107. The common file 105 outputs public information $X_A$ from a position indicated by this $ID_A$ and this public information $X_A$, accompanied by $ID_A$ in the reading means 1024, is given to the cipher-key generating means 1023.

The cipher-key generating means 1023, using constants n and t from constant holding means 1021 and secret information $r_B$ from secret information holding means 1028 for B besides these information pieces $X_A$ and $ID_A$, generates a cipher-key $K_B$ in accordance with:

$K_B = (X_A^{t} \cdot ID_A)^{r_B} \bmod n$

Therefore, key distribution can be achieved if the cipher-key $K_A$ generated by the cipher-key $K_A$ generating means 1019 of the subsystem 101 and the cipher-key $K_B$ generated by the cipher-key $K_B$ generating means 1023 of the subsystem 102 become identical because:

$K_A = \alpha^{r_B \cdot t \cdot r_A} \bmod n = K_B$
Thus, where both the sending party A and the receiving party B access the common file 105, the subsystem 101 can achieve key distribution merely by adding its own identifying information $ID_A$ to the ciphered message without having to prepare or transmit a key distribution code.

Next will be described in detail, with reference to FIG. 6, a fourth preferred embodiment of the invention, in which both the first subsystem 101 and the second subsystem access the common file 105.

It is supposed that, in this fourth preferred embodiment, a sending party A and a receiving party B access the common file 105, and that, at the key distribution center 100, a conversion formula and a common parameter are set as shown in FIG. 1. Referring to FIG. 6, identifying information for the receiving party B is entered from input means 1017. In response to this input, common file reading means 1018 reads out public information $U_B$, $V_B$ on B from a position indicated by $ID_B$ in the common file 105.

Verifying means 1010 checks whether or not $V_B^{t} / U_B^{f(U_B, ID_B)}$ is equal to $ID_B \pmod{n}$.

If the verifying means 1010 verifies the equality, it sends an OK signal to cipher-key generating means 1019.

Cipher-key generating means 1019, using secret information $r_A$ from secret information holding means 1012 for A and a constant n from constant holding means 1009, generates a cipher key $K_A$ in accordance with:

$K_A = U_B^{r_A} \bmod n$

Here, $K_A = \alpha^{r_B \cdot t \cdot r_A} \bmod n$ because $U_B = \alpha^{r_B \cdot t} \pmod{n}$.

Identifying information $ID_A$ from identifying information $ID_A$ holding means 1015 for A is supplied to receiving means 1031 of the subsystem 102 via transmitting means 1008 and a line 104. The information $ID_A$ supplied from the means 1031 is further provided to the common file 105 via reading means 1024 and a line 107. The common file 105 outputs public information $U_A$, $V_A$ from a position indicated by this $ID_A$ and public information $U_A$, $V_A$, accompanied by $ID_A$ in the reading means 1024, is given to the verifying means 1040.

Verifying means 1040 checks whether or not $V_A^{t} / U_A^{f(U_A, ID_A)}$ is equal to $ID_A \bmod n$.

If the verifying means 1040 verifies the equality, it sends an OK signal to cipher-key generating means 1041.

The cipher-key generating means 1041, using information $U_A$, a constant n from constant holding means 1021 and secret information $r_B$ from secret information holding means 1028 for B, generates a cipher-key $K_B$ in accordance with:

$K_B = U_A^{r_B} \bmod n$

Therefore, key distribution can be achieved if the cipher-key $K_A$ generated by the cipher-key generating means 1019 of the subsystem 101 and the cipher-key $K_B$ generated by the cipher-key generating means 1023 of the subsystem 102 become identical because:

$K_A = \alpha^{r_B \cdot t \cdot r_A} \bmod n = K_B$

Next will be described in detail, with reference 
to FIGS. 7 and 8, a fifth preferred embodiment of 
the invention. 

It is supposed that, at the key distribution center 100, a conversion formula, a common parameter and secret information $S_A$ are set as shown in FIG. 1.

After the preparatory steps shown in FIG. 1, 
preparations particularly for the fifth embodiment 
are accomplished as described below. 

Referring to FIG. 7, identifying information for a receiving party B, with whom a sending party A frequently communicates, is entered from input means 1017. In response to this input, common file reading means 1018 reads out public information $X_B$ on B from a position indicated by $ID_B$ in the common file 105.

$X_B$ generating means 1032, using $X_B$ from reading means 1018 and constants n and t from the constant holding means 1009, converts the public information $X_B$ into an easier-to-handle form in accordance with:

$X_B' = X_B^{t} \cdot ID_B \bmod n$

and stores $X_B'$ into the $ID_B$ address in a personal file 140.

Next will be described the fifth preferred em- 
bodiment of the invention in further detail with 
reference to FIG. 8. 

Referring to FIG. 8, receiving party identifying information input means 1017 enters receiving party identifying information $ID_B$. Then judging means 1033 judges whether or not the converted public information $X_B'$ has been stored into the personal file 140. In response to an affirmative judgment, personal file reading means 1034 provides $ID_B$ to read the public information $X_B$ out of the personal file 140. Cipher-key generating means 1035, using a random number r from random number generating means 1011, generates a cipher-key in accordance with:

$K_A = (X_B')^{r} \bmod n$

If the judgment by the judging means 1033 is negative, the subsystem 101 obtains public information $X_B$ for the receiving party B from the common file 105 with the common file reading means 1018 as well as externally provided identifying information $ID_B$ for the receiving party B with the input means 1017. The random number generating means 1011 generates the random number r. Cipher-key generating means 1019, using the public information $X_B$ and the identifying information $ID_B$ from the reading means 1018, the random number r from the generating means 1011, and constants n and t from constant holding means 1013, generates a cipher-key $K_A$ in accordance with:

$K_A = (X_B^{t} \cdot ID_B)^{r} \bmod n$

Both the cipher-key generated by the generating means 1035 and that by the generating means 1019 are $K_A = \alpha^{r_B \cdot t \cdot r} \bmod n$. Key distributing code $Y_A$ generating means 1014, after reading out secret information $S_A$ from secret information holding means 1012 for A and the constants n and $\alpha$ from the constant holding means 1013, uses said random number r to generate a key distributing code $Y_A$ in accordance with:

$Y_A = S_A \cdot \alpha^{r} \pmod{n}$

The code $Y_A$ generated by the generating means 1014 and the identifying information $ID_A$ for A are sent out to the line 104 by transmitting means 1016. Code $Y_A$ receiving means 1022 of the subsystem 102 receives the code $Y_A$ and the identifying information $ID_A$ for A, both provided via the line 104. Using the identifying information $ID_A$ and the code $Y_A$ from the receiving means 1022, the constants t and n from the constant holding means 1021, and secret information $r_B$ from secret information holding means 1028 for the receiving party B, generating means 1023 generates a cipher-key $K_B$ in accordance with:

$K_B = (Y_A^{t} \cdot ID_A)^{r_B} \pmod{n}$

Here, $K_B = \alpha^{r_B \cdot t \cdot r} \pmod{n}$

Therefore, key distribution can be achieved because the cipher-key $K_A$ generated by the cipher-key generating means 1019 and 1035 of the subsystem 101 and the cipher-key $K_B$ generated by the cipher-key generating means 1023 of the subsystem 102 become identical.

Next will be described in detail, with reference to FIGS. 9 and 10, a sixth preferred embodiment of the invention.

First it is supposed that, at the key distribution center 100, a conversion formula, a common parameter and secret information $S_a$ are set as shown in FIG. 1.

Preparations for the sixth embodiment are accomplished as described below.

Referring to FIG. 9, identifying information for a receiving party B, with whom a sending party A frequently communicates, is entered from input means 1017. In response to this input, common file reading means 1018 reads out public information $U_B$, $V_B$ on B from a position indicated by $ID_B$ in the common file 105.

Verifying means 1010 checks whether or not $V_B^t / U_B^{f(U_B, ID_B)}$ is equal to $ID_B$ (mod n).

If the verifying means 1010 verifies the equality, it stores the public information $U_B$ into the $ID_B$ address of the personal file 140.

Next will be described the sixth preferred embodiment of the invention in further detail with reference to FIG. 10.

Referring to FIG. 10, receiving party identifying information input means 1017 enters receiving party identifying information $ID_B$. Then judging means 1033 judges whether or not the public information $U_B$ has been stored into the personal file 140. In response to an affirmative judgment, personal file reading means 1034 provides $ID_B$ to read the converted public information $U_B$ out of the personal file 140. If the judgment by the judging means 1033 is negative, common file reading means 1018 reads public information $U_B$, $V_B$ for B out of a position indicated by $ID_B$ in the common file 105.

Verifying means 1010 checks whether or not $V_B^t / U_B^{f(U_B, ID_B)}$ is equal to $ID_B$ (mod n).

If the verifying means 1010 verifies the equality, it supplies an OK signal to cipher-key generating means 1035.

The cipher-key generating means 1035, using the random number from the random number generating means 1011, generates a cipher-key in accordance with:

$K_A = (U_B)^r \bmod n$

Key distributing code $Z_A$, $W_A$ generating means 1014, using the random number r from the random number generating means 1011, the secret information $S_A$ from secret information holding means 1012, the function f and the constants n, $\alpha$ and t from the constant holding means 1013, generates key distributing codes $Z_A$ and $W_A$ in accordance with:

$Z_A = \alpha^{t r} \pmod n$

$W_A = S_A \cdot \alpha^{r f(Z_A, ID_A)} \pmod n$

The codes $Z_A$ and $W_A$ generated by this generating means 1014 and the identifying information $ID_A$ from holding means 1015 are sent out by transmitting means 1016. The information $ID_A$ and the codes $Z_A$ and $W_A$ transmitted via a line 104 are received by receiving means 1030 of the second subsystem 102 and, at the same time, provided to verifying means 1024.

Verifying means 1024, using the information $ID_A$, the codes $Z_A$ and $W_A$, and the function f and constants n and t from holding means 1021, checks whether or not $W_A^t / Z_A^{f(Z_A, ID_A)}$ is equal to $ID_A$ (mod n).

If the verifying means 1024 verifies the equality, it supplies an OK signal to cipher-key generating means 1023.

In response to this signal, the cipher-key generating means 1024, using $\gamma_B$ from holding means 1028, generates a cipher-key in accordance with:

$K_B = Z_A^{\gamma_B} \pmod n$

Here, $K_B = \alpha^{t r \gamma_B} \pmod n$.

Key distribution is made possible because $K_B = \alpha^{t r \gamma_B} \pmod n = K_A$.
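The sixth embodiment's exchange as an added example (not code from the patent): a toy Python run of the common-file check, the codes Z_A and W_A, the receiver's check and both key derivations. The primes, t = 65537, alpha = 5, SHA-256 as f, the identities, and issuing S as the t-th root of ID (which is what the two verification equations imply) are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters: a real modulus needs far larger secret primes.
P, Q = 2**31 - 1, 2**61 - 1           # center's secret primes (Mersenne primes)
N, T, ALPHA = P * Q, 65537, 5         # public constants n, t, alpha (assumed values)
D = pow(T, -1, (P - 1) * (Q - 1))     # center's secret exponent: t*d = 1 mod phi(n)

def f(x, ident):  # one-way function f; SHA-256 is an assumption, the page does not fix f
    return int.from_bytes(hashlib.sha256(f"{x}|{ident}".encode()).digest(), "big")

def issue_secret(ident):  # center: S with S^t = ID (mod n), as the checks imply
    return pow(ident, D, N)

def publish(ident, s, gamma):
    """Receiver's common-file entry: U = alpha^(t*gamma), V = S*alpha^(gamma*f(U, ID))."""
    u = pow(ALPHA, T * gamma, N)
    return u, s * pow(ALPHA, gamma * f(u, ident), N) % N

def verify(ident, first, second):
    """True if second^t / first^f(first, ID) == ID (mod n)."""
    inv = pow(pow(first, f(first, ident), N), -1, N)
    return pow(second, T, N) * inv % N == ident % N

def send(id_a, s_a, id_b, u_b, v_b, r):
    """Subsystem 101: check B's entry, then K_A = U_B^r and the codes Z_A, W_A."""
    if not verify(id_b, u_b, v_b):
        raise ValueError("receiver's public information failed verification")
    z_a = pow(ALPHA, T * r, N)
    w_a = s_a * pow(ALPHA, r * f(z_a, id_a), N) % N
    return pow(u_b, r, N), z_a, w_a

def receive(id_a, z_a, w_a, gamma_b):
    """Subsystem 102: check the codes, then K_B = Z_A^gamma_B."""
    if not verify(id_a, z_a, w_a):
        raise ValueError("key distributing code failed verification")
    return pow(z_a, gamma_b, N)

def run(r, gamma_b):
    """One full exchange between constructed identities; returns (K_A, K_B, Z_A, W_A)."""
    id_a, id_b = int.from_bytes(b"alice", "big"), int.from_bytes(b"bob", "big")
    s_a, s_b = issue_secret(id_a), issue_secret(id_b)
    u_b, v_b = publish(id_b, s_b, gamma_b)
    k_a, z_a, w_a = send(id_a, s_a, id_b, u_b, v_b, r)
    return k_a, receive(id_a, z_a, w_a, gamma_b), z_a, w_a

if __name__ == "__main__":
    k_a, k_b, *_ = run(secrets.randbelow(N - 2) + 2, secrets.randbelow(N - 2) + 2)
    print("keys match:", k_a == k_b)
```

A code whose Z_A has been altered in transit, or that is presented under another party's ID, fails `verify` and `receive` refuses to derive a key.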

The fifth and sixth preferred embodiments of the invention are characterized by the presence of the personal file 140 on the first subsystem 101 side. In this file 140 are stored such pieces of information as are frequently used for communication by the first subsystem 101. Other constituent elements of these embodiments are identical with the corresponding ones of the first through fourth embodiments. This personal file 140 contributes to reducing the amount of calculations in the fifth embodiment when generating a key for the other party with whom communication frequently takes place. In the sixth embodiment, it makes possible dispensation with the verifying means for public information on the other party with whom communication frequently takes place.

An example of the subsystems 101 and 102 for use in the first through sixth preferred embodiments will be described below with reference to FIG. 11.

Referring to FIG. 11, this system comprises a terminal unit (TMU) 301, which may be a personal computer or the like having a function to process communication; a read only memory (ROM) 302; a random access memory (RAM) 303; a random number generator (RNG) 304; a signal processor (SP) 306; and a common bus 305 to connect the TMU 301, ROM 302, RAM 303, RNG 304 and SP 306 with one another.

The RNG 304 may consist of, for instance, the key source 25 disclosed in the U.S. Patent No. 4,200,700. The SP 306 may be composed of, for instance, a CY1024 Key Management Processor available from CYLINK.

The RNG 304 generates random numbers r at an instruction from the SP 306. In the ROM 407 are stored public integers t, $\alpha$, n and one-way function f together with a secret integer $S_A$, $\gamma_A$ (for use with the subsystem 101) or $\gamma_B$ (for use with the subsystem 102). $S_A$, $\gamma_A$ and $\gamma_B$ may as well be stored by the user from his TMU into the RAM upon each occasion of communication. The above described actions are realized in accordance with a program stored in the ROM. The RAM 303 is used for temporarily storing the interim results of calculation or the like during the execution of these steps.

Each of the subsystems 101 and 102 may be a data processor of a general-purpose computer or an IC card.

As hitherto described in detail, the present invention provides the benefit of making possible safe unidirectional key distribution immune from attempts in collusion at illegitimate alteration of information.

While this invention has thus been described in conjunction with the preferred embodiments thereof, it will now readily be possible for those skilled in the art to put this invention into practice in various other manners.



Claims 

1. A cipher-key distribution system for distributing a cipher key for use in cipher communication by one party with another, provided with:
a common file for storing public information in a position indicated by receiving party identifying information, and first and second subsystems, wherein:
said first subsystem comprises:
reading means for reading said public information out of said common file;
random number generating means for generating random numbers;
first cipher-key generating means for generating a cipher key on the basis of a constant, said receiving party identifying information given from outside, a random number generated by said random number generating means and the public information read out by said reading means;
secret information holding means for generating and holding the secret information of the communicating party using this subsystem;
key distributing code generating means for generating a key distributing code on the basis of said constant, said random number and the secret information given from said secret information holding means; and
transmitting means for transmitting the key distributing code generated by the key distributing code generating means and the information for identifying the communicating party, and
said second subsystem comprises:
receiving means for receiving the key distributing code and the identifying information from said transmitting means of the first subsystem;
constant holding means for holding the constant;
secret information holding means for holding the secret information of the communication party using this subsystem; and
second cipher-key generating means for generating a cipher key, which is identical with the cipher-key generated by said first cipher-key generating means, on the basis of the key distributing code and identifying information from said receiving means, the constant from said constant holding means and the secret information from said secret information holding means.

2. A cipher-key distribution system for distributing a cipher key for use in cipher communication by one party with another, provided with:
common file means for storing public information in a position indicated by receiving party identifying information, and first and second subsystems, wherein:
said first subsystem comprises:
first reading means for reading said public information out of said common file means;
secret information holding means for holding the secret information of the communication party using this subsystem;
first cipher-key generating means for generating a cipher key on the basis of a constant, receiving party identifying information given from outside, the public information read out by said first reading means and the secret information from said secret information holding means; and
transmitting means for transmitting the information for identifying the communicating party using this subsystem, and
said second subsystem comprises:
receiving means for receiving the identifying information given from said transmitting means;
second reading means for reading said public information out of said common file means;
constant holding means for holding the constant;
secret information holding means for holding the secret information of the communicating party using this subsystem; and
second cipher-key generating means for generating a cipher key, which is identical with the cipher-key generated by said first cipher-key generating means, on the basis of the constant from said constant holding means, the secret information from said secret information holding means, the public information given from said second reading means, and said identifying information from said receiving means.

3. A cipher-key distribution system for distributing a cipher key for use in cipher communication by one party with another, as claimed in Claim 1 or 2, wherein the first subsystem further has a personal file for storing part of the information stored in the common file.

4. A cipher-key distribution system for distributing a cipher key for use in cipher communication by one party with another, as claimed in at least one of Claims 1, 2 and 3, wherein the first subsystem further has verifying means for verifying the information read out of the common file.

5. A cipher-key distribution system for distributing a cipher key for use in cipher communication by one party with another, as claimed in at least one of Claims 1 and 3, wherein the second subsystem further has verifying means for verifying the information received from said first subsystem.